.... participants already jumped into a lively discussion
about consent.

... First question to address - issue of first parties.

... Where in the specification do we want to address first
parties. In TPE or compliance?

brookman: Wouldn't that contradict the document we
created so far?

rigo: It is more of a footnote. Not a contradiction
but more of an extension.

weiss: this would lead to two parallel
specifications. We should not agree here on doing normative text. We should
first evaluate how substantial the gap is.

rigo: I agree. Additions that do not change the
existing spec are not of the same importance.

brookman: It contradicts the complete section 4.
Are you saying this might be wrong?

<Weiss> test

rigo: We are already saying that law overrules
the spec. This is part of this overruling of law concerning Europe.

... or in some countries of Europe

... if we bet on implied consent we could stop here.

... but continuing would be future proof.

<Thomas_Schauf> sorry ninja, I was not logged
in

weiss: I completely agree with the overriding
law. My concern is that if we focus on only one region's law it could dilute the
spec.

... an overly annotated spec will be less helpful than a
systematic note.

rigo: The regulated systems might be similar. I
agree we should not annotate too much. But this is a fundamental choice we should
make regarding first parties.

james: There will be a window of time until 2016
when the regulation comes into force. We need to address the directive that is
in force now but also the regulation draft, which is highly in flux at the
moment.

<moneill2> +q

rigo: the issue is - we want to produce something
that is future proof. When we want to address the issue of storing data on the
terminal equipment of users, do we need a consent mechanism including first
parties?

.... Using DNT including first parties could rid us of the
need of window shades in many cases.

vinay: We discussed this internally. We need to
have a negotiation mechanism for European users. But users do not want to pay
more for having an extra system only for one region.

rigo: this is where the problem starts. If
everyone is developing their own consent mechanism it would cost much more in
total.

moneill2: You need to have an option to withdraw
consent. Therefore a mechanism of giving consent needs to be in place
anyway.

<brookman> Letting one DPA's interpretation
of one law that may be superseded is not the way to drive the DNT discussion .
. .

weiss: We are discussing three different issues
right now.

<vinay> Another country/website using the
implied consent model is the Irish presidency website: http://eu2013.ie

rigo: fair point.

<vinay> where it points to browser controls
for consumers to opt out from cookies

wolf: We cannot use the ICO model for the whole
of Europe. Implied consent does not work everywhere.

... We cannot address the issue of first parties without
talking about consent.

weiss: what I struggle with is understanding how
first parties could be included in the spec without changing the whole
document.

rigo: I want to apply DNT:1 as an easy provision
for first parties to comply with the law.

... If the permitted uses were aligned with what is
currently allowed by the law this would be a huge benefit.

... If a first party wants to do more we can apply the DNT:0
consent mechanism.

peterswire: What does it mean for a first party
if they receive a DNT:1 signal?

rigo: The response header says either I'm
complying or I'm not complying. You could as a first party always say I'm not
complying.

<moneill2> +q

brookman: At the moment a first party answers I
am a first party. I do first party stuff.

kimon: What should a first party do to honor
DNT:1 in your view?

rigo: Reaction similar to third parties. I honor
DNT, I only use the permitted uses.

... or saying I don't honor DNT but I'm legally compliant.

BREAK: COFFEE...

<Joanne> lots of side conversations still
happening...

scribenick: Joanne

UNKNOWN_SPEAKER: at some point we will return to
our regularly scheduled meeting

we have come back

Rigo: two choices: move on to the consent discussion or
continue the first party discussion
... the first party is addressed in the TPE and compliance spec, where a first party can
continue normal ops
... also a rule in the compliance spec that local law overrules DNT compliance
reqs

<moneill2> +q

Rigo: taking those three into account (missed third
one) we could say if in a regulated environment you may also use DNT as a way to organize
communication and consent with your users. DNT:0 can use the exception use data set
out in DNT:0,

(not sure if I captured that correctly)

Mike: now there could be a separate browser obtaining
consent under DNT to signal consent. For dnt:1 my opinion - that consent has
not been given

Vinay: clarification question: are you proposing to
define what dnt:0 means in the EU context or how companies in the EU should treat all
signals?

Rigo: fair q
... but

Kimon: my issue is we don't have enough pubs in
the room to understand first party issues

Rigo: Vinay's q is unanswered. Yes, DNT:0 will
carve out because you won't have to explain every time, just announce the diff
and the user only sees relevant prompts
... can we see a system where dnt:1 is not meaningless
... if permitted uses are accepted by DPAs, then you don't have to discuss in the face of
dnt:1. dnt:0 is only one consent mechanism - only one legal ground it offers
you for your overall legal strategy
... if you want to go beyond - could claim OOB consent

Vinay: to proceed - get the diff between dnt and
the 1995 and ePrivacy directive
... don't know if permitted uses align with what regulators would think is allowed
under the dnt:1 scenario
... thinks we should define what dnt:1 means in different markets

rob: we are at an intersection now. Dnt:1 or
Dnt:0 path
... tying to consent is one of the possibilities
... next to define what dnt:1 means
... vinay point is relevant

brookman: 1st party may call dnt unset and comply
in a way they want
... what is tricky part of defining dnt:0?

Vinay: how to balance dnt:1 against dnt:0 is the
tricky part

brookman: do it OOB and if you want to do that
you can.

Ninja: if we want to be beneficial for the EU, DNT:0
needs to mean some type of consent
... other part: DNT:1 and how do permitted uses apply in the EU and whether it's
legally compliant by DPAs
... huge benefit to solve the whole Art 5 cookie problem and get out of the rathole

Brookman: lots of ratholes.. Japan, Asia, etc.
Different in other places

Weiss: would not say I'm at point that normative
lang is the right step. more pre-occupied with Ninja's point and the user
exp
... browser choice, US default rules at this time in spec, resolve issue what
users expect will happen and how that is communicated, and have that jive with
expectations

how do you reconcile those

Aleecia: let me reverse and address
... discussing Mozilla exp
... can it be done country by country
... response - done by lang
... could imagine having many builds - spanish in EU and spanish in other
parts of the world

Kimon: implementation example (use FF in Belgium
- listing langs). how can you control this?

Aleecia: imagines lang and region together (eg
German-EU) but not country by country
... lots of issues with this - a pain. presumes many communications beyond the
browser

Weiss: agreed that there will be many
communication points

Aleecia: if do dnt right EU is 1. issue exists
with or without dnt but reduces problem
... 1. do we need to dnt:0 differently for EU vs everywhere else. not
convinced this is special. raising this as an option. one signal means the same
in all places. group could suggest that consent means highest bar

Weiss: high bar under 27 dnt means same
everywhere

Aleecia: go back to cos and figure what we can
do. if we can do that we have a win. if we can't then figure out the deltas. if
we can make the same the better

the third part - doc is the low bar for dnt:1. Depending on
where users are you may need to do more. Hope for this group to doc what the
more is and identify the deltas

scribe agrees with Aleecia's last statement

Wolf: not sure we can reach a deal with the fragmentation of
EU law
... not sure if this can be reached under what is allowed under dnt:1 or 0

<brookman> For the record, the language
saying that law > the standard should probably be moved within the
Compliance document. Right now, it's just in the permitted uses despite DNT
---- that is, if law REQUIRES you to keep more data, that trumps DNT.

<brookman> We should probably place the
language elsewhere to be more clear that it cuts both ways . . .

Wolf: question is what is the environment for
consent and we need to doc that.

Brookman: clarified settings - set (1,0), unset

Wolf: political debate - is tracking allowed or
not. Hard for a co to do tracking for other legal reasons

Weiss: if spec is silent on something I want to
do then I don't need to respond.

Justin W -you may want to clarify your point in IRC - didn't
quite capture it

Rigo: lets go back to queue

Rob: either you go with the EU view, which puts focus
on data collection, which means adding privacy principles like data minimization. The US
approach focuses on transparency and giving control

<brookman> rvaneijk: there will always be a
gap between DNT and the European legal regime.

Rob: clear there is a gap between the EU standard and the
dnt standard. Assumption there is always a legal gap and it needs to be put into
the context of collection or control. Some examples are taken in the collection context
or control context
... for me it's important to see we are exploring the collection limitation
path and if not feasible then we need to look at the use limitation path

Aleecia: no change in practice around
collection

Rigo: lets reset and wants to explore what Rob
and Justin said
... in first party context there are limitations you may use dnt:0 for
consent.
... no normative text for dnt:1 but in implementation guide. normative text
dnt:0 in TPE and TCS (hope I got this right)

Rob: collection limitation - have to define dnt:0
in the legal sense across EU.

back and forth between Aleecia and Rob...

Rob: hard to standardize data retention
generically
... it's a way to apply PbD but doesn't solve generic standardization

Frank: wants to come back to the Aleecia
discussion
... his view: the server portal is located somewhere and the company is responsible to
comply with local law. Has to look at the server, not the browser

Wolf: but that is different in light of
international law.

Aleecia: state of CA example. Have to guess where the
user is living

Vinay: agreed with Rigo last statement (noted for
the record) <grin>

<Weiss> but his summary was different than
what Rigo said!

<Weiss> I think Rigo proposed non-normative
text for DNT:1

<Weiss> and normative text for DNT:0

Rigo: we are a standards org as long as there is
support. Implementation guide is a help. it also means you can endorse it - if
no endorsement then need to discuss with every dpa

Kimon: can we rely on that?

discussion between rigo and kimon...

Amendment 108

<Weiss> I remember *tolerance* was the word
that made Brookman grin yesterday

Rigo: if not right normative text then
endorsement won't mean anything

James: we will look at ePrivacy directive once
the data regulation is complete.

Rigo: agreement we should define DNT:0 in the spec
and dnt:1 in the implementation guide (how is a decision we need to make)

Weiss: not sure we have agreement
... wants to see the deltas to achieve purpose Rigo is proposing
... once we see deltas then we can determine if normative text or note is best
approach

<brookman> this is all getting a little
meta

Weiss: thought the purpose of the this group is
to id those deltas

Rigo: we need a commitment to provide resources
to explore that
... what he hears: can't agree to the option. Catch-22 situation. Let's start with
the delta of the EU privacy directive. Can you write down what you want to
know?

Weiss: two deltas we identified yesterday. 1st party/3rd
party distinction and permitted uses.

Rigo: we won't have any normative text in specs
until there is consensus of the entire WG. The consensus being sought here is: do we
want to work on this?

violent agreement in the room

<Walter> on what?

<ninjamarnau> Walter, violent agreement that
we only propose normative text to the big group if we find consensus in this
smaller group

the group wants to work on possible normative text for the spec
and commitment to work on this

Peterswire: for the full group - timing observation.
F2F in early May, scheduled LC in July. Work here needs to meet the timeframe of LC
and what is done here needs to be done with that in mind
... will require thought and input from the larger group

Rigo: only constraints on normative text but not
on the note

Weiss: likes note

Rigo: provide first wording after the delta's
discussion

<aleecia> suggests deltas need to take very
little time

peterswire: committed to work with the group but only
if it fits into the overall timetable

<aleecia> if there's a 2 week time frame for
delta (which is short, actually) we've just gone through half the time Peter
suggests before we even start talking about text

<rigo> JustinW: Want to see the delta for the
permitted uses and the ePrivacy Directive compliance

Rigo: rephrasing Rob's comments. State of data
collection minimization needs consent. If we work on consent we ultimately work on the collection
environment. Control scenario - don't need consent for legal grounds, etc. If
hit with dnt:1 then need to worry. These are mutually exclusive. Rigo does not
agree with Rob on mutually exclusive

Ninja: ask rob for specific example around how
collection or use limitation will play out.

Rob: difference between setting tasks for
compliance in the EU and changing the balance of control. This is very
complicated

Rigo: ninja does not believe this is mutually
exclusive
... another argument. If you get consent via the browser you get control from a central
point by the user.

Rob: what is the measurement criteria

Rigo: as a standard we don't have to do this. Adrian
got us out of this

Rob: that is dnt consent but legal consent is a
diff discussion

rigo: there will be an endorsement discussion
that will touch on normative text and the implementation guide. Can adapt over time
with the implementation guide

<brookman> We're not SOLVING tracking. We're
limiting it. Or trying to at least.

Rob: risk of something not being endorsed is
pretty big, and does not have a clear feeling what we are solving as we are all
looking at this from a different perspective

Rigo: we have to agree on certain wording on
specs and in longer timeframe discuss how to use tool

Rob: is the purpose of this work to become
compliant in the EU

Rigo: answer what is the delta. do we want bridge
this gap? id what add'l things are needed for EU
... get with dpa to validate what is mismatch. use German as the high bar

Weiss: asking Marcus if that is the measure - is
it the highest bar?

Marcus: feeling the German one is the strongest

TLR: stretch goal - hearing people saying a lot
of the same things

Rigo: wants commitment to work on the delta

<brookman> rigo: point of this is to improve
our chances of deemed legal compliance later

<brookman> scribenick: brookman

<Joanne> thanks Justin

rigo: legal formalization of this recognition is
for the moment legally impossible because of directive model --- why we need a
regulation
... Amendment 108 is being put in precisely for things like this effort. No
one seems to be questioning Amendment 108.
... In between, just use your best bet --- talk to local DPAs, point to global
buy-in, &c.
... Not precluding any potential dispute in court, just making a tool
available for deemed-ish compliance.
... Need commitment from folks to work out what the delta is (ed: deltas
are)

<Thomas_Schauf> +q Julia

rigo: Would like someone from industry and
DPAs

thomas: If DNT a legal tool, why are we orienting
it to the e-privacy directive?
... If policy arena is out of scope, we need a broad DNT standard so it can be
adaptable to different markets
... 1, 0, unset need to be adaptable so different people in different
jurisdictions can comply with varying laws

rigo: I just want someone to agree to help me
find the deltas!
... legitimate question about whether the gap is too big (between current
permitted uses and Euro law)

<aleecia> which people in the room can do
this?

rigo: if we come back and say "Oh my God!" we
will have to provide guidance in the implementation guide.

<aleecia> small set, yes?

tlr: Let's use *some* stringent jurisdiction as a
benchmark and get action items assigned to map compliance vs that jurisdiction
---- that will be a proxy for overall discussion

Julia: We have very different interpretations of the
e-privacy directive even among German institutions. So there's that.

<Thomas_Schauf> +q

aleecia: Can we just get someone to draw up
*some* interpretation of *something*? And then we can do deltas vs. the deltas
(ed: grumble)?

thomas: After the work on DNT, we may have the
Regulation in place, and maybe we won't have Directive problems

rvaneijk: But if you want endorsement later this
year, I have concerns. But willing to share what we think are the
issues.

<trackbot> Created ACTION-380 - Invite Frank
into the Group [on Rigo Wenning - due 2013-03-19].

rigo: We have successfully concluded the first
party/third party distinction. <general laughter>
... half an hour left to discuss requirements for consent and/or DNT:0
definition
... "freely, specific, and informed"

rvaneijk: isn't that really part of the deltas
(comparing Euro law to compliance spec)

Not sure how you can map when there isn't a definitive
statement on this in the compliance doc today

rigo: I have put something together on my own
(with no input) to present to the group on what DNT:0 should do.
... Based on P3P and data classes.

<Weiss> Question: is DPA endorsement of plan
(including possible normative text) a pre-condition to submission to full DNT
working group for approval?

rigo: You be very specific about what you're
collecting: name, employment data, etc.
... We can say what needs a prompt and what doesn't.
... If you go beyond what we define as permissible, then you would need a
window shade and not a button.

rvaneijk and vinay: We need more explanation about what the
schema are.

vinay: How will browser know what's being
collected?

rigo: It won't know. You would need additional
P3P implementation to tell the user what you're actually doing. DNT:0 is a
potential allowance, not a precise statement about what's actually
happening.
... To say what you're actually doing, you would need to do P3P.

tlr: You're conflating a few things here.
... We don't have a shared understanding of P3P data schema among the people
in this room
... Maybe better to say, hey, there are data classes. Among those, let's say
that DNT:0 = consent to play with those data.

rigo: The javascript API would allow you to
convey a message to the user. If you're within the DNT:0 confines, you wouldn't
need additional interaction.
... But if you're talking about sensitive data (medical, sexual, sensitive), a
button is not enough, you would also need a shade

aleecia: I think you're doing this to reflect
that consent has to be specific. But since this is just potential instead of
WHAT YOU'RE ACTUALLY DOING how is that actually specific?

<rigo_> rvaneijk: we need not only data
definitions, but also purpose definitions (tracking)

rvaneijk: If you're tying this to consent, this
is WAY TOO MUCH detail to qualify the element of specific.

aleecia: Having this level of specific disclosure
was one of the key implementation difficulties of P3P.
... suggest we not do this if it will be a barrier to implementation.

peterswire: Maybe just say that that DNT:0
doesn't apply to "sensitive data" in Article 8.

The definition of DNT:0 *will* be in the standard.

rigo: Hey, you guys asked for a definition of
tracking.

peterswire: Why not just say that DNT:0 = the
right level of consent under EU law except for sensitive stuff under Article
8.

<aleecia> peter++

rvaneijk: If DNT:0 = normal consent, then you
need to do more for sensitive categories.

vinay: How could the API mechanism store special
status for "sensitive data"?

<rigo_> JB: Don't know why we have to spell
out the level consent.

<rigo_> ... DNT just signals consent

moneill: maybe this ties to the albrecht
amendments re pseudo data

rigo: The idea is that you need legal and
informed consent. You are in a specific context which should be clear to you.
In this content, you signal DNT:0. And DNT:0 means that you agree to this data
collection.

moneill: DNT:0 is just a signal.

rigo: We are trying to standardize a description
of DNT:0 that requires window shades.

moneill: Window shades are a UI. We're not
supposed to be worried about that.

rigo: But if you leave everyone to fight with
their DPA over what constitutes consent, then you don't have
standardization.

moneill: Is that our job?!?

rigo: That's my plan.

+1 to moneill

weiss: Going back to the UI question. I hear you to
say: First they see the browser offering DNT choices. Then they see what the
website sends back to interpret that consent. If they're playing with sensitive
data, it will be really big and robust. If it's more commonplace, it can be
more light-touch.
... In either case, it will be some sort of pop-up to clarify the scope of
consent.
... Is there any scenario where a pop-up of some sort isn't required?

rigo: It could be the case that we could agree
that certain of these things are normal processes so you don't need a pop-up
every time.

weiss: But "tracking" is different than what the
e-privacy directive covers.

rigo: I'd like a def that covers 98-99% of the
average use cases.

weiss: And how will the user know what's
covered?

rigo: We don't specify --- leave it to the site
to specify. They can have a personalization button. People over time will learn
what this means

rvaneijk: A limited list could work when you're
dealing with exceptions because you want to put constraints on something. But
this is the other way around. What if new data flows/usages pop up? If there's
a category of "others" that could weaken that definition.
... Not sure limited list really works here.

rigo: You can describe things in lots of ways:
everything but . . ., or bottom up, or positively describe everything.
... If we define tracking in a specific way, maybe that means a relatively
small window frame.

rvaneijk: Isn't that point of all this to NOT
have pop-ups for everything?

moneill: DNT can keep state on the user in the
browser per website.
... DNT:0 has a site-specific exception that can be stored in the lawyer.

peterswire: I don't see why people don't get
this.
... This is like a standard contract that defines the 12 ordinary things. If
you're outside that list of 12 things, then maybe you need to do something
more.
... This is standard across a lot of industries..

aleecia: This isn't specific consent.
... I guess you could in the browser say I consent to all 12 things going
forward for everyone. But that's not specific consent.

ninja: I see dnt:0 as a standard contract. (1)
They need to accept that DNT:0 isn't a white card to do anything. (2) We
need to get all the DPAs to agree that even if it's just 12 things, it is specific
enough.
... compares this to the Google privacy policy.
... not specific enough.

rigo: maybe that means that our standard contract
is not good enough.
... If you sign up prospectively for personalization across some set of sites,
no need for pop-up shades.

peterswire: Responding to Google point.
... Euro law cracks down on standard contracts that are not proportional. But
we can define 12 things that might work here.

ninja: Also concerned about lock-in. Maybe not as
big a deal as I originally thought.

<Weiss> correction for scribe: "log-in," not
"lock-in"

rigo: consent for 12 things is what DNT:0 means,
if you want more it has to be out of band.

<Zakim> ninjamarnau_, you wanted to suggest a
lunch break

ninja: We are 12 minutes behind and it's
lunchtime.

aleecia: I want to come back to rvaneijk's point
--- you need context, can the 12 point contract work?

vinay: it sounds like euro regs might want DNT:0
just for the more benign uses (like first party analytics). But not
OBA/personalization.

rvaneijk: Not sure where the threshold should
be.

rigo: You can do DNT:0 store for that more
sensitive stuff, but I will explain privately during lunch (!?)

<breaking for lunch>

<haakonfb1> scribenick haakonfb

Rigo: we have a basic understanding of DNT:0 after
peterswire: standard contract

… what this contract will look like will be subject to
fierce debate

… now a meta discussion. The industry comments: 1) we do DNT
and 2) EU regulation is not industry friendly

… do we want to discuss how DNT is used in the Brussels
policy discussions?

… do we want a sanitisation of DNT?

… what is the relationship to self regulation?

… should we bring to the table what other groups are
doing?

… should we have this discussion?

rob: would like to see DAA at the table. Will DNT
take part in the notice framework?

<rigo_> Julia: q?

rob: idea to create neutral table - with everyone
that matters in the ecosystem.

Rigo: When you are debating DNT - invite someone
from this table to present ideas about DNT to EDAA board?

Julia: It is a nice offer

Thomas_Schauf: How could a cooperation work on a
technical level?

… serve to the consumers. not competing solutions, but
cooperative solutions.

rob: demonstrates no support for DNT in European
industry.

Kimon: Look internally for solutions. Don't see
DNT will replace the need for the commitments made.

Justin: Usecase of DAA participation. Clearest
path to interoperability: DNT could be one of many signals to trigger the
commitments.

… EDA has its own code of commitments. The interoperability
depends on how the different commitments map.

… there is a potential, but need something clear to compare
against.

rigo: either need to talk to the board, or
someone has to provide a diff.

… rob saying no one is coming out

Thomas_Schauf: Industry supports DNT - invest
time+++

… EDA around the table. Robert Madelin told W3C invite
EDA

… will go back to the steering group and ask them to accept
the invitation

… technical cooperate or define who is first and second in
the user dialogue

… this work will take time.

rigo: the only thing that counts is commitment to
come back with a result on the question: What is the diff between EDA and the
DNT permitted uses?

kimon: we make sure that EDA will know

Thomas_Schauf: Rigo send an email to Kimon, Julia
and Thomas about this.

<trackbot> Created ACTION-381 - Send email to
Thomas Schauf, Kimon and Julia to get someone from DAA to help with the DIFF
between permitted uses in TCS and the allowances under Opt-out in the EEDAAA
framework [on Rigo Wenning - due 2013-03-19].

rigo: succeeded skipping the first part by
directly discussing the meat of it. expected this to be a big battle. Allotted
lots of time to it

rob: is it consensus to commit to a strong
DNT-standard while we are waiting for the new DP regulation?

… does this consensus exist?

Vinay: A challenge would be to understand the
interplay spec and regulation - and the timing. Difficult to accommodate the
standard without knowing the content of the regulation

rob: as any external risk factor. has to mitigate
that risk.

Vinay: Companies know the current law. Companies
would wait for the new regulation before changing behaviour.

… wouldn't worry about the DNT standard in the mean time,
but will wait for the DP regulation

rigo: we need speaking points against this
argumentation

justin: I see more uncertainty with getting
certification / approval for a solution. DNT will not be a complete tool for
compliance.

peterswire: Common in the past with a version 1
and then people learn and then a version 2

… companies prefer building once, not required to
reengineer.

… how is this reality handled in other W3C cases?

rigo: There have been both orderly and chaotic approaches.
Example: the big debate on XML Schema. One side: too much fluff; other side: we need
to specify all the details. Both ways happened. Let the market figure it out

… Web as platform: Defining all kinds of relations to device
APIs etc. Not the assumption that what they are doing is the ultimate solution
in 5 years. Want to solve the current situation. We cannot decide to throw the
connection approach out of the window

… we need the delta: this is what you need to do to
comply.

… we are in this regulation discussion. The industry *and*
DPAs are under pressure.

… if small gap political solutions are possible

… implementation guide can be approved by DPA(s)

… our chances for success depends on the gap analysis.

… can we whenever we are asked say it this is not a panacea,
but trying to solve a specific problem for the web.

justin: we define that problem after the gap
analysis

rigo: we have some challenges wrt permitted uses,
but not likely a big gap

Vinay: gap will be about first party vs third
party and permitted uses

justin: priority is the gap analysis. that will
identify our issues

<rigo_> Justin sees the biggest issue in
First Party reaction on DNT:1 signal in Europe. This will be subject to the gap
analysis

peterswire: Question: Compliance cost - I just
want to only build once. In Europe: Why should I do anything on DNT:0 when the
regulation can change everything

… gap analysis - useful for getting ready for DP
regulation.

… why should we implement DNT:0

rigo: US compliance stands for basic protection
on the web. In Europe could have a similar but different function

… instead of everybody on their own, try to get together 80
percent of the result with 20 percent of the effort.

… remove the shading + providing users control

… you enable to give the engineers their say in the
debate.

… also discuss the technical aspects

… by removing the most annoying parts, avoid an arms race between
blocking and tracking technologies.

… ref geolocation. The browser must provide the user a
certain interface. Grant and revoke access to location.

… dnt-system: would have the advantage by providing this
kind of interface. It is a clean and viable framework.

peterswire: by having engineers and the general
terms we will facilitate a more orderly transition.

rigo: Amendment 108 does not stem from the
industry, but the Green party

… by offering first kind of shot we have three years to
create version 2.

peterswire: This is the best path to end up with
a good technological solution.

rigo: go away from the original agenda. When this
group agrees on normative texts for the specs, text will be added.

rob: are you going to inform the big group about
progress here?

… informing allows for others to enter into this work

peterswire: summarise the conclusion and bring
back to bigger group

… allows for other perspectives to be included

rigo: July deadline - last call

peterswire: (outlines the step of w3c process)

<brookman> Whoa, there's interservice
review?

rigo: last call is used to clear up any
dependencies. All other groups look at the spec to identify any
dependencies.

… public available - gets comment from the general public

… has to address the public comments

… next step: candidate recommendation. The industry
implements the spec. New issues might be discovered, and the spec has to be
fixed.

<haakonfb> justin: Status in Canada: Law
about behavioural advertising. The privacy commissioner has assessed DAA
principles++

Joanne: several similar questions from PIPEDA in
the Privacy Directive context
... Commissioner analysis of OBA outlined conditions of transparency
requirements
... opportunity to take that piece to do a gap analysis

Rigo: can you send the pointer to this report

Rob: Andrew Patrick replied to Chris M's comments
so its on mailing list

<trackbot> Created ACTION-382 - Take Canadian
references to OBA "Guidelines on Online Behavioral Advertisement" report and
link it from the Global consideration page [on Rigo Wenning - due
2013-03-19].

rob: should not limit the discussion to just
consent; but should also include 'revoking consent'

<moneill2> +q

... should be easy

... not just globally, but individually

rob: very essential element for regulatory
framework

mike o'neill: important for consent

brookman: can't you just say dnt:1 and then get
the pop-up again

rob: the how question and the what question are
different
... the option needs to be a requirement

<rigo_> rob: there should be a requirement
that the browser must offer a possibility to revoke the consent

<Weiss_> scribenick: Justin Weiss

Rigo: I think Opera is not opposed
to having a requirement that revocation should be possible, but they will be
'allergic' to the revocation window design

Vinay: should you accept global
revocation or site specific? That kind of requirement could be contemplated

...the question to the browsers
is whether granular revocation is possible

Moneill: site specific DNT:1 could
be put in now before last call as a requirement

> . . .now the API can only set DNT
zero

Brookman: there's no reverse
exception right now

Ninja: do we really want negative
exceptions and generate use cases for this?

Vinay: any dependencies that rely on
the browser should be avoided, because we can't depend on them

> (channelling Roy)

Moneill: raised with Matthias before
-- and I have presented multiple use cases

Brookman: there are out of band
exceptions. You could require sites to use opt out cookies, for example
(laughs)

Rigo: how long will it take you to
paste in next steps and major agreements?

Peter: will paste in wrap up and
summary for discussion

<peterswire> 1. The group had a constructive
discussion, with civil and detailed analysis of the relevant issues.

<peterswire> 2. Task Force should proceed.
There was consensus that the Global Considerations Task Force (GCTF) should
continue to work on issues relating to DNT:0 setting. Members of the working
group are welcome to join the GCTF mailing list at ___.

<peterswire> 3. Gap analysis. The first task
for the GCTF is to assess the delta between the current DNT draft specification
and what is legally required under current EU law. Also, assess the delta
between the DNT draft specification and the EDAA approach. There may be a
similar gap analysis with respect to Canadian law, pursuant to the opinion of
the Office of the Federal Privacy Commissioner concerning OBA.

<peterswire> 4. Standard contract. Once gap
analysis is concluded, there will be discussion, including DPAs, industry, and
other stakeholders, of the meaning of DNT:0 compliance. The group discussed the
possible usefulness of a “standard contract” that could be understood in
the EU as authorizing a number of actions by the server. The standard contract
would not have to address all possible uses; for instance, it likely would not
authorize collection and use of “sensitive” data such as the
categories in Article 8 of the EU Data Protection Directive.

<peterswire> 5. Provide technical forum that
informs EU discussions. The W3C process offers a helpful convening of multiple
stakeholders who are involved in the ongoing discussions in the EU about future
data protection measures. Specifically, the W3C includes participants with a
strong technical background. The GCTF had consensus that the W3C work should
continue, to provide this technical and stakeholder input.

<peterswire> 6. Time line. The GCTF plans to
work intensively to determine if normative text is appropriate concerning
DNT:0. The GCTF understands that normative text is subject to the Working
Group’s July, 2013 deadline for Last Call. It also understands that any such
normative text would be included in the compliance spec only if consensus is
reached in the Working Group.

<peterswire> 7. Possible non-normative text.
In addition to determining whether and what to propose as normative text, the
GCTF may work on non-normative text. Specifically, the group discussed the
possibility of drafting a Note, which would be subject to discussion and review
in the full Working Group. Topics of the non-normative text may include a guide
about compliance with the compliance spec, with citations and assistance to
organizations in different regions about local requirements and
implementation.

Brookman: in the main group it will
be controversial to repurpose DNT:0

Brookman: spec could be revised in
'minor' ways as a viable alternative to the idea here

Peter: next to standard contract,
there could be another path

Vinay: could be a part of the
compromise

Rob: important to emphasize the 'go'
'no go' discussion about the group after gap analysis.

...second point is a procedural
question about the mandate of the group. The blueprint itself should get an
'ok' consensus from the full group. Needs to be anchored in advance.

Swire: full group Wed call will
review summary here

> . .. or via email

Rob: it should be a formal group
decision

...I also have to explain back at
the office to justify the travel and work; many are in this camp

<vinay> at least some of us in the industry
are in that camp, too

Peter: Number 4 will be rewritten

Sherwood: how do we envision input
from this group to an EU legislative process?

Peter: This language is carefully
crafted to be cautious in characterization of the role of the group

...to 'provide' technical
stakeholder input;

Sherwood: so is lobbying
contemplated?

Peter: mere participation will
inform other secondary outreach by participants

> . .. taskforce members will provide
the input directly themselves

Rigo: in Brussels, there is already
DNT discussion

> . . .they may know very little about
DNT technically. So if participants make factual statements about DNT, they can
come to this group to ask whether it's aligned with our goals

Sherwood: members are provided as a
resource to those involved in the legislative discussion

Peter: Agreed.

Rigo: explanations with pictures and
such are contemplated...

<peterswire> The GCTF had consensus that the
W3C work should continue, and that these discussions will inform the
participants and thus the ongoing debates.

Julia: there are diverse backgrounds
within the steering group - some participants may want that kind of briefing
too

<peterswire> The GCTF had consensus that
its work should continue, and that these discussions will inform the
participants and thus the ongoing debates.

Rob: let's document the criteria
that will inform the 'go' 'no go' decision

Peter: Yes, we'll rewrite this
text

<brookman> Option: There was some recognition
at the meeting that the DNT standard we're negotiating will in any event not be
sufficient to reach the level of legal requirements in the European Union (and
quite possibly elsewhere). Instead of repurposing DNT:0 as web-wide (or more
granular) agreement to a set of less controversial uses (such as first-party
analytics, first-party personalization, or audience measurement), we could edit
the TPE (and to a lesser exten[CUT]

<brookman> ) to allow for *any* party (first
or third) to take advantage of the exception-API mechanism to ask for consent
if that party believes that adhering to the DNT standard alone will not be
sufficient for legal compliance in a particular jurisdiction. Thus, if a first
party believes it needs consent to do first-party analytics despite the TCS
exemption of first parties from compliance obligations, that first party could
call the exception-API to get permissi[CUT]

<brookman> engage in tracking on its own
domain. Or if market research was deemed a permitted use, an audience
measurement company could still trigger a call to the API for consent to track
around the web even if the TCS allowed for market research.

Brookman: let's document this and
consider as part of 'go' 'no go'

Rigo: if you want to have a
description of the context, you have to give information before permission. But
if you take permission out of the context, then you have another problem

Rob: more interesting to focus on
purpose limitation and permitted uses, in function of consent

> . .. and secondary uses

<rigo_> rob: purpose limitation and secondary
use are central to the consent. You should stay close to the purpose for which
the data has been collected for.

<rigo_> .. re-use may trigger a new request
for consent

<rigo_> Justin: unless it is compatible?

...you should stay close to the
original purpose for which it was originally collected

<rigo_> Rob: yes...

<peterswire> 5. After the gap analysis. Once
gap analysis is concluded, there will be a go/no-go discussion about how and
whether the GCTF will proceed. That discussion will include consideration of
the practicality and implementability of any normative text. One path may be
drafting of a “standard contract” that could be understood in the EU as
authorizing a number of actions by the server. Another path might recognize
that meeting the DNT:0 standard will not be sufficient to reach the level of
legal requirements in the EU (and possibly elsewhere). In that case, an option
might be to explore if DNT:0 could be a mechanism for providing a specific
grant of permission by a user to an action by a server.

Rob: an option would also be to
close the group

Rigo: if gap is too big, and prefer
mutual destruction

...the game is over

Vinay: I think Brookman's language
is an option, that would be surprising for the full DNT group to accept, but
it's possible

Rigo: Brookman includes DNT:0
mechanism, and excludes DNT:1 for first parties

...but even DNT 1 for first
parties is a beneficial option for industry, serving as a safe harbor

...if you specify it, and it's
recognized as an option, you are not forced - but you can claim in the absence
of consent my implementation follows these rules

Vinay: I see that -- but customers
don't want that

Rigo: but if this group had as much
trouble understanding our discussion, so did the clients. Maybe a second pass
is worth it with them.

Rigo: so from here we are now
constituted

> biweekly teleconference is the next
step, probably starting next week